Share this story

If you’re like most people, you’re annoyed by passwords. You’ve got dozens to remember — some of them tortuously complex — and on any given day, as you read e-mails, send tweets, and order groceries online, you’re bound to forget one, or at least mistype it. You may even be one of those unfortunate people who’ve had a password stolen, thanks to the dodgy security on the machines that store them.

But who’s to blame? Who invented the computer password?

Like the invention of the wheel or the story of the doorknob, the password’s creation is shrouded in the mists of history. Romans used them. Shakespeare kicks off Hamlet with one — “Long live the King” — when Bernardo must prove he’s a loyal soldier of the King of Denmark. But where did the first computer password show up?

It probably arrived at the Massachusetts Institute of Technology in the mid-1960s, when researchers at the university built a massive time-sharing computer called CTSS. The punchline is that even then, passwords didn’t protect users as well as they could have. Technology changes. But, then again, it doesn’t.

Nearly all of the computer historians contacted by Wired in the past few weeks said that the first password must have come from MIT’s Compatible Time-Sharing System. In geek circles, it’s famous. CTSS pioneered many of the building blocks of computing as we know it today: things like e-mail, virtual machines, instant messaging, and file sharing.

Fernando Corbató — the man who shepherded the CTSS project back in the mid-1960s — is a little reluctant to take credit. “Surely there must be some antecedents for this mechanism,” he told us, before questioning whether the CTSS was beaten to the punch by IBM’s $30 million Sabre ticketing system, a contraption built in 1960, back when $30 million could buy you a handful of jetliners. But when we contacted IBM, it wasn’t sure.

According to Corbató, even though the MIT computer hackers were breaking new ground with much of what they did, passwords were pretty much a no-brainer. “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files,” he told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.”

The irony is that the MIT researchers who pioneered the passwords didn’t really care much about security. CTSS may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system’s welcome message and its master password file so that anyone who logged in was presented with the entire list of CTSS passwords. But that’s not the good story.

Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early ’60s, came clean about the earliest documented case of password theft.

In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn’t nearly enough time to run the detailed performance simulations he’d designed for the new computer system. So he simply printed out all of the passwords stored on the system.

“There was a way to request files to be printed offline by submitting a punched card,” he remembered in a pamphlet written last year to commemorate the invention of the CTSS. “Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.”

To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab’s director Robert Fano, and leaving “taunting messages” behind.

Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”

1) Input mechanisms have improved over the years. Switches and who knows what for input. I can't even imagine it and I'm nearly 40 years old.2) I have no idea what have those pieces of "equipment" are for. Tape drives I get. There's something that looks like an industrial sized printer there too. The rest, I'm clueless without hitting the historical books to look the stuff up. Will people look back at our data centers today in 50 years with the same opinion?3) I've got more storage on a tiny SIM card in my phone. We've shrunk storage down from building size to pin head size for that amount of bits.

Remarkable advancement for 50 years work. Passwords or no passwords, if I had to work under those conditions today, I'd have never gone into computer science.

Being a transistor based system, i take it the actual computer is the big thing in the back. And that would basically be the CPU, with a computing power that can be rivaled by a alarm clock these days.

The console was already semi-obsolete by the time of this photo.Jobs were submitted as cards, the cards were copied onto tape, and then the OS loaded the jobs from tape.

The console was only used to boot the machine, handle serious error conditions, and so on.

Obviously in the case of this particular machine, there was a timesharing OS, so you had interactive terminal (probably paper teletype) input of some sort.

It looks to me like you've got the console and line printer up front, some card readers behind them, then the row of tape drives, then the processing units.

Interestingly enough, you could get a CRT monitor to display vector graphics on the very earliest IBM scientific computers. Mainly the idea was to record the image to film, but you could get a display monitor suitable for viewing as well.

Women also did most of the mathematical calculations on the Manhattan Project.

I was on board with that Stanford article right up until it claimed women were less likely to take or excel in math classes in the mid 60's. The entire second half of the article is fanciful conjecture and false logic which fails to match actual statistics.

Also, the impetus to get women out of certain jobs in the late 60's was more a result of the baby boomers reaching employment age. The size of the job seeking population versus jobs available had a great deal more to do with the civil rights and gender equality movements than most people are willing to acknowledge due to blind idealism. Also, much of corporate America indirectly funded gender equality movements or shifted advertising towards the liberated female ideal in an effort to increase the population of financially enfranchised consumers.

Yeah, so, are you trying to say that was a bad thing?.

No, just trying to disabuse people of the idea that civil rights and gender equality movements were based primarily on their core ideals which they espoused. Also, it is important to consider the damage to society such movements have created due to their abrupt and swift propagation. The speed of gender equality adoption has had many negative effects, such as increased divorce which has decreased the rate at which children reach adult maturity and similar. Much of this can be attributed to the core economic motivators, as the idealism basis of such a movement would have moved at a speed society and law would have been able to cope with more appropriately.

Basically, I'm saying the ideals were not the driving force, and thus we have lots of unintended negative consequences.

Social reform follows hysteresis curves, thus the path to get to a point has an effect on the path of equilibrium. An example would be the increase of violent misogyny (wife beaters) is related and tied to the rate at which women's equality and in some areas, super-equality (being more than equal) has been achieved.

We've reached a period of social oscillation which is quite unhealthy in the west. A great example would be the military movement against Afghanistan following 9/11. For the first couple of years, most people supported military action. Within 5 years, the country had polarized in the opposite direction.

such as increased divorce which has decreased the rate at which children reach adult maturity and similar.

huh?

Quote:

We've reached a period of social oscillation which is quite unhealthy in the west. A great example would be the military movement against Afghanistan following 9/11. For the first couple of years, most people supported military action. Within 5 years, the country had polarized in the opposite direction.

Not sure what your railing against here. That people should not be swayed by emotional turmoil, or that one should stay ones course, come hell or high water, once set?

It looks to me like you've got the console and line printer up front, some card readers behind them, then the row of tape drives, then the processing units.

Also note that the dapper operator is wearing a bow tie, which cannot accidentally get caught in the mechanical workings.

(Well, ok, it's probably an IBM sales guy, but I think everyone who works in a data facility should dress like that. I also like the curtained windows in the back, which provide sufficient daylight to keep the tapes drives happy, yet affords modesty for the printers.)

Pretty sure that just writing the passwords down on a piece of paper is just as secure as using an online service in the long run.

I guess it is where you keep that piece of paper that matters. I was looking at a friends Facebook pictures, and in a picture of a nice cup of some exotic tea, there, at the back, on a yellow PostIT was the URL, user name and password that would have allowed me to post an official press release on behalf of the political party my friend works for.

Also note that the dapper operator is wearing a bow tie, which cannot accidentally get caught in the mechanical workings.

(Well, ok, it's probably an IBM sales guy, but I think everyone who works in a data facility should dress like that. I also like the curtained windows in the back, which provide sufficient daylight to keep the tapes drives happy, yet affords modesty for the printers.)

Gosh, that one made me laugh heartily.I wish I knew by which process this explanation formed inside your mind .

If the 7090 was anything like the 7080 i ran back when, the memory box was about six feet long, five feet high, and about a foot thick...and was a big 80k of transistor memory.

The 729 tapedrives had a door that lowered, the tape was mounted on the hub on the left and locked in place and then the lead run under the head to the right hub, spun up to take up slack and then advanced and dropped loops down into the left and right air columns as it loaded to the reflective marker when you hit the reset and load buttons on the top left. The drive address was a number on the upper left that could be dialed around to become any drive number allowed in the series, although you could only have one of any given number "active" at a time with most of the programs we had.

The ability to program from the console allowed you to write small programs in short order to create output; even output tapes. This was always good for a certain amount of amusement in creating fake output tapes that would demand certain obscure outputs be mounted on the printers and then promptly terminate after the form had been mounted, aligned, and the console message replied to....

cards, decollating forms, bursting outputs, running interpreters, collators, card readers and punches... the dirty side of the good old days.

Lastpass/keepass/passwordsafe/etc + Diceware is the way to go whenever possible.

Any recommendation on password managers? I've used Keepass for years at work but there isn't a compelling port for the Mac. KeepassX is buggy as hell and database support across versions/platforms lacks uniformity. I've heard mPassword works well and there is an "i" version but I'd prefer an open source version. I guess you can't have it all...

"The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example."

Other posts have refered to this and I want to add my voice... This has got to be the dumbest idea I have ever read regarding security.

Back in the ’60s, there were other options, according to Fred Schneider, a computer science professor at Cornell University. The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example.

Seriously? A CS professor at Cornell doesn't realize that passwords ARE knowledge-based authentication. His proposed system is subject to the exact same problems as passwords.

I'd say they are worse. Things like my mother's maiden name aren't widely known, but they aren't hard to find out and people like my sister do know. And some of the questions are a pain, like when presented with "What is your favorite pasttime?" I have to ask at what point in my life I set the account. Did I say Magic The Gathering, Go, or SWTOR? And how did I abbreviate it at that time (only Go lacks multiple abbreviations, and even then I'll change between Go, Baduk, or Wei Qi depending on if the person I'm talking to learned the American/Japanese, Korean, or Chinese style).

If the 7090 was anything like the 7080 i ran back when, the memory box was about six feet long, five feet high, and about a foot thick...and was a big 80k of transistor memory.

The 729 tapedrives had a door that lowered, the tape was mounted on the hub on the left and locked in place and then the lead run under the head to the right hub, spun up to take up slack and then advanced and dropped loops down into the left and right air columns as it loaded to the reflective marker when you hit the reset and load buttons on the top left. The drive address was a number on the upper left that could be dialed around to become any drive number allowed in the series, although you could only have one of any given number "active" at a time with most of the programs we had.

The ability to program from the console allowed you to write small programs in short order to create output; even output tapes. This was always good for a certain amount of amusement in creating fake output tapes that would demand certain obscure outputs be mounted on the printers and then promptly terminate after the form had been mounted, aligned, and the console message replied to....

cards, decollating forms, bursting outputs, running interpreters, collators, card readers and punches... the dirty side of the good old days.

Damn, i would love to hear war stories from the mainframe era over a couple of beers.

In high school we had access to a DEC PDP-8/I running TSS-8. Passwords could be up to 4 characters long!

You entered an account number follow by the password. Ours was 3,ME (uppercase only)

The sequence for the schools on the system was ME, YOU, NOW, IS, THE, TIME, FOR, ALL, GOOD, MONK, FLOP.

A wonderful system to learn programming on with its 16K of 12 bit words for the TSS, simulating 4K of space to each user.

The teachers accused us of having a machine language program that could spit out the passwords before it would crash the system. Actually we did what is now called "social engineering" by calling our friends at the other schools and asking them what the password was. It was usually written on the blackboard over the ASR-33 teletype with acoustical phone coupler communicating at a blistering 110 BAUD (10 CPS).

A group of us tried to crack the security for a month, since we were tired of the teacher's story about what they thought we had. We had the name, we figured it was up to us to earn it. We failed. About a month later I accidentally (really!) cracked it. Seems you could watch the input/output buffers if you knew where to look. I was doing it to spy on users at other terminals when I fell behind in my pointer chasing and ended up watching a user log in. Was totally taken by surprise by that. System documentation said you did not have a buffer until you were logged in. I guess it was an attempt of misdirection, but it was the beginning for my lifelong "talent" for finding bugs in software.

Damn, i would love to hear war stories from the mainframe era over a couple of beers.

I've got the war stories if you've got the beer. Yes, we did have to come in early to warm up the delay line memory before the machine would operate reliably. Yes, we could confuse the operators by having the console print, "Mount APIZZA on D07" where D07 was a disk drive with removable disk packs. And yes, it *was* up hill both ways. In the snow.